Prototype malware for Windows Phone 8 OS allegedly created

Details are murky, but according to the site Naked Security, a young “ethical hacker” named Shantanu Gawde has created the world’s first Windows Phone 8 malware. The program can reportedly “…steal contacts, upload pictures and steal private data of users, gain access to text messages etc.” and details about the exploit will be revealed at the Malcon security conference in New Delhi, India, later in November.

Gawde is evidently a well-known computer prodigy, being the world's youngest Microsoft Certified Application Developer (MCAD) at age 16. What is more impressive is that he earned that designation when he was aged 7. Microsoft has been made aware of the presentation but not of the details, and is promising action on any weaknesses found, should they turn out to be legitimate concerns.

Windows Phone 8 is theoretically more secure than its predecessor thanks to secure boot and native 128-bit BitLocker encryption, though there is one area where a potential hole could be exploited: sideloading XAP files via the microSD card. Though most Windows Phone 8 devices don’t even have a microSD slot, in theory files can be loaded from the card via the Store app. The only other options would of course be an exploit that slipped through Microsoft’s Store certification, or a weakness found in the browser.

We’ll just have to wait for Gawde to reveal his cards in a few weeks to see whether this is a one-in-a-million weakness or something that every Windows Phone user should be concerned about. Either way, no matter what happens, we’re still confident that Windows Phone 8 is more secure than Android. And that platform’s security weaknesses have not hindered its sales one bit.

There seems to be lots of confusion about the WP app security model. Let me clarify:

- Each app has a "manifest" file that specifies what services it requires (e.g. location, media library, identity)
- Microsoft has a "manifest checker" program. They run this on submitted apps to check that the manifest is indeed correct
- If so, it gets signed by Microsoft and put in the marketplace. Otherwise it gets rejected.
- When you install an app, you agree to allow the access to the services specified in its manifest. (Provided it's signed, of course!)

Thus security relies on the following:
- Microsoft's private key used for app signing
- The signing and verifying mechanism (RSA?)
- You having the correct public key
- The app manifest checker program
- Only certified apps being executed

Therefore a "hack" on WP must be via:
- A vulnerability in an app with permissions to access sensitive services (e.g. IE)
- A flaw in the manifest checker (e.g. not detecting that an app accesses location)
- A leak of Microsoft's public key (and a deployment vector for the illegitimately certified app)
- A cryptographic break of the signing mechanism (but then apps are the least of your worries)

To me this sounds like a flaw in the manifest checker, but I'd have to know more to be sure.

This is why you should always be very wary about side-loading apps from sources other than Microsoft.
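The trust chain this comment lays out (manifest declares capabilities, a store-side checker, a signature made with the signer's private key, handset-side verification and enforcement), as an added illustration in Python. This is not the commenter's code or Microsoft's implementation: the manifest, the API-to-capability mapping and the tiny textbook RSA key pair are all constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET
# Constructed WMAppManifest-style fragment; capability names follow the
# WP ID_CAP_* convention, the app and the APIs it calls are made up.
MANIFEST_XML = """<App Title="SampleGame">
  <Capabilities>
    <Capability Name="ID_CAP_NETWORKING"/>
    <Capability Name="ID_CAP_LOCATION"/>
  </Capabilities>
</App>"""
# Assumed mapping from sensitive platform APIs to the capability they need.
API_REQUIRES = {
    "Contacts.SearchAsync": "ID_CAP_CONTACTS",
    "GeoCoordinateWatcher.Start": "ID_CAP_LOCATION",
    "HttpWebRequest.Create": "ID_CAP_NETWORKING",
}
# Toy textbook RSA with tiny primes, only to show the key roles:
# D stays with the store signer, PUBLIC_KEY ships on every handset.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY = (E, N)

def declared_capabilities(xml_text):
    return {c.get("Name") for c in ET.fromstring(xml_text).iter("Capability")}

def manifest_checker(xml_text, apis_used):
    """Store-side check; returns the capabilities used but not declared."""
    declared = declared_capabilities(xml_text)
    return {API_REQUIRES[a] for a in apis_used if API_REQUIRES[a] not in declared}

def digest(xml_text):
    # Toy: fold SHA-256 into a value below N; real signing pads the full hash.
    return int.from_bytes(hashlib.sha256(xml_text.encode()).digest()[:2], "big") % N

def sign(xml_text):
    return pow(digest(xml_text), D, N)  # only the holder of D can produce this

def verify(xml_text, signature, public_key=PUBLIC_KEY):
    e, n = public_key
    return pow(signature, e, n) == digest(xml_text)

def device_api_call(xml_text, signature, api):
    """Handset-side: refuse bad signatures, then enforce declared capabilities."""
    if not verify(xml_text, signature):
        return "rejected: bad signature"
    if API_REQUIRES[api] not in declared_capabilities(xml_text):
        return "denied: capability not declared"
    return "allowed"
```

A sideloaded package bypasses `manifest_checker` entirely, so the handset-side signature check and capability gate are the only lines of defence left in this model.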

Make a simple game or app which has all permissions to access user data. Yes, WP8 gives these APIs, after user consent, just like all other mobile platforms.

Submit to AppHub

Users install the app which shows what data access permissions this will have

Upon using the app, it reads and sends all the data to its own server

User is hacked!!

I call it nonsense, this is possible on all platforms. Even today ad SDKs collect more data than you imagine. This is the reason I install apps from recognized publishers. And avoid adware apps at most.
// chall3ng3r //

A prodigy, haven't seen one that has contributed to the good of humanity. We still wait to see a time machine, a worm hole, a transporter, a ship traveling at light speed, a fountain of youth, a mech. No, this youth prodigy or the many that there are have nothing better to do but create a virus/malware for WP. God, please be serious. There are so many good things I could do with their gift!!!!!!!!

Meh... To be honest, I've never quite believed the hype on this kid. MCAD is not as hard as it seems since there are cheat programs you can use to study, and when I took mine, the class was pretty much a rehearsal for the test. And when I say rehearsal, I mean, it was pretty much the test, only the questions were out of order.... No real learning.

I can't say I'm surprised. I've been expecting something like this to happen ever since they merged Windows Phone with the NT kernel. That opened up a whole host of new vulnerabilities that weren't there using the previous CE kernel.

Encryption does nothing for addressing malware concerns, you do know this, right? There were no vulnerabilities in WP7 that could get at all of your contacts and images. It simply never existed.

WP8 is barely out for a week or two and already this vulnerability sprouts its ugly head. Switching to the NT kernel did some awesome and amazing things for the platform. It also allows for more cross-platform exposure to malware and other vulnerabilities as well due to the tightly shared kernel.

I gotta feeling this is gonna turn out like the infamous SMS bug. No credible source confirmed it, no one has seen it in the wild or has been able to reproduce it, Microsoft never officially patched it and the world has forgotten about it.
And also, the kid might just be looking for another 15 minutes of fame.

I fail to see why this sort of hacking person, if they are so innocent, doesn't just give the information to Microsoft. All that publishing it does is spread the information about the weakness around to people who want to exploit it.

Would not be surprised if this turns out to be one of those 'IF you do this (not normally possible) and then IF this is available (not under normal circumstances) and IF you then are able to access that (not normally possible) by going through this (not normally available) you MAY be able to get to this info provided you can get out of THIS (not normally possible).'
The average journalist will then paraphrase it to: 'You can steal THIS, so WP8 is a security risk'

WP may be more secure and Android undoubtedly less so, but you can be sure the mainstream tech press will turn the story on its head and try to portray WP as the more vulnerable OS, conveniently ignoring the multitude of Android malware and confirmed infections to date.

“…steal contacts, upload pictures and steal private data of users, gain access to text messages etc.”
Aren't these APIs built into the operating system? Doesn't seem like it would be hard or even an "exploit" to do this. People would be pissed if their third-party applications weren't allowed to access photos or the internet, which is all you need to do what this "malware" does.

It really depends. Everything can be hacked etc. with the right access. If this requires an app to be installed, then it's no big deal. That's the reason Apple & MS decided on controlled store fronts. A browser-directed malware exploit would be bad, but even iOS had an issue with that not long ago. They are easily fixed.